[tor-relays] max TCP interruption before Tor circuit teardown?

Gordon Morehouse gordon at morehouse.me
Tue Oct 22 14:25:48 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Gordon Morehouse:
> I'm still waiting for another "storm" to test the 60 sec findtime /
> 90 sec bantime guesses that I made (and just pushed to my repo,
> BTW). Every time my relay crashes due to a storm, it takes me that
> much longer to get Stable back, and the storms are almost
> nonexistent until you have the Stable flag in my observation.

Another circuit-creation storm (detectable as SYN flood on ORPort)
happened last night soon after reattaining my Stable flag (argh!!!)
and the following limits on SYNs to the ORPort were not enough to save
Tor from the oom-killer:

1. Absolute limit avg 4 SYN per second with burst of 10 to ORPort, with
   an iptables REJECT (as opposed to DROP) for hosts that send SYNs when
   this limit has been reached.

2. 90-second iptables DROP ban for hosts which exceed the above (and are
   thus logged) in any 60-second period.

Sigh.  More trial and error and another (figurative) century before I
get my Stable flag back.

Best,
- -Gordon M.

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJSZorpAAoJED/jpRoe7/ujVc0H/1w3cteInSXCNekjn76OgDMx
o/RYfiCnlVqOd6ubKOzGXn5nsYqJJpRrIwWE9j2R5/1PqZA6XAR3AbZ9ENPLP9GY
+xxY4ELn4wiQB4zSHuV/OOEwkvxq15XyDTv7mFTVhHwjC5nVV2z3g3rjGIM3735I
HMDQ5mBF9URfn4vTKXrpZ2EWzX44EsP4oAPQqMSwGSpQQ2+cdMlOWmHg257VIDcu
mrYm+lBMOqVq/ns6NMhWE/I9gwkEREK4VvpyIVANk5se+er/fL7cdKenIjciXQem
7fDDZMNov3cNa9M6dHn1yPo2r6lJkuw94M+knmexd7F+rij+vznZ524DQgrOPeI=
=lmst
-----END PGP SIGNATURE-----
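The two limits described in the message above, expressed as iptables rules. This is an added example, not code from the original post or from Tor; the ORPort number, the chain name ORPORT_EXCESS and the list names orport_syn and ORPORT_BAN are assumptions, and it requires the hashlimit and recent xtables modules. It simplifies rule 2: the post bans a host that exceeds the limit within any 60-second window (a fail2ban findtime), whereas here the 90-second DROP ban starts with the first SYN that trips the hashlimit.

```shell
#!/bin/sh
# Added example, not code from the original post: iptables rules that approximate
# the two ORPort SYN limits described in the message. Port, chain and list names
# are assumptions. By default the rules are only printed (IPT="echo iptables");
# run as root with IPT=iptables to install them. Needs the hashlimit and recent
# xtables modules.
set -eu

ORPORT="${ORPORT:-9001}"               # assumed ORPort; match your torrc
IPT="${IPT:-echo iptables}"            # dry run unless overridden
RATE="${RATE:-4/second}"               # average SYN rate per source (rule 1)
BURST="${BURST:-10}"                   # extra SYNs tolerated as a burst (rule 1)
BANTIME="${BANTIME:-90}"               # seconds a source stays banned (rule 2)

install_orport_syn_limits() {
    # Chain that handles one SYN found to be above the limit: log it (rate-limited
    # so the log itself cannot be flooded), remember the source for the ban, then
    # REJECT with a RST so the peer fails fast instead of retransmitting.
    $IPT -N ORPORT_EXCESS 2>/dev/null || true
    $IPT -F ORPORT_EXCESS
    $IPT -A ORPORT_EXCESS -m limit --limit 5/minute \
        -j LOG --log-prefix "ORPORT_SYN_EXCESS: "
    $IPT -A ORPORT_EXCESS -m recent --name ORPORT_BAN --set
    $IPT -A ORPORT_EXCESS -j REJECT --reject-with tcp-reset

    # Rule 2 (checked first): a source recorded in ORPORT_BAN within the last
    # BANTIME seconds is DROPped silently. --rcheck does not refresh the entry,
    # so the ban expires BANTIME seconds after the last logged excess.
    $IPT -A INPUT -p tcp --dport "$ORPORT" --syn \
        -m recent --name ORPORT_BAN --rcheck --seconds "$BANTIME" -j DROP

    # Rule 1: per-source token bucket of BURST tokens refilled at RATE; a SYN that
    # finds the bucket empty "matches above" and is sent to ORPORT_EXCESS.
    # Using one chain avoids evaluating the hashlimit twice for the same packet.
    $IPT -A INPUT -p tcp --dport "$ORPORT" --syn \
        -m hashlimit --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
        --hashlimit-mode srcip --hashlimit-name orport_syn \
        -j ORPORT_EXCESS
}

install_orport_syn_limits
```

Ordering matters: the DROP rule for banned sources sits before the hashlimit rule, so a banned host never refreshes its own ban entry, and the REJECT (rather than DROP) for the first excess SYNs is what the post chose so that legitimate clients back off immediately. Run it with `IPT=iptables` as root to install, or leave the default to review the generated rules first.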